Last Updated: February 6, 2026
Effective Date: February 6, 2026
lluna ("we", "us", "our", "Company") respects your privacy and is committed to protecting your personal data. The present Privacy Policy explains how we collect, use, disclose, and safeguard information when you access and use our website located at lluna.app and the associated AI-powered workspace services (collectively, the "Service", "Platform").
By accessing or using the Service, you acknowledge that you have read and understood the practices described in the present Policy. If you do not agree with our data handling practices, you must discontinue use of the Platform immediately.
lluna acts as the data controller for personal data collected through the Service. We determine the purposes and means of processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and Swedish data protection legislation.
For questions, concerns, or requests regarding your personal data or the present Policy, contact us at:
Email: info@lluna.app
Legal Entity: lluna
Location: Sweden
Supervisory Authority: Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, "IMY"), available at www.imy.se.
We collect several categories of personal data depending on how you interact with our Service.
When you create an account, we collect information necessary to establish and maintain your user profile, including:
When you subscribe to a paid plan, our payment processor Stripe collects and processes:
We do not directly store complete payment card details on our servers. Payment processing is handled by Stripe in accordance with PCI-DSS standards. We retain transaction identifiers and subscription status information.
During your use of the Service, we process:
We automatically collect certain technical data when you access the Platform:
When you contact our support team, we collect:
We use cookies and similar technologies to enhance functionality and analyze Service usage. Details regarding cookies are provided in Section 9 of the present Policy.
Under GDPR Article 6, we process your personal data based on the following legal grounds:
Processing is necessary to perform our contractual obligations under the Terms and Conditions, including:
Where we rely on consent, we obtain your freely given, specific, informed, and unambiguous agreement through clear affirmative action. You may withdraw consent at any time without affecting the lawfulness of processing conducted prior to withdrawal.
Examples include:
We process certain data based on our legitimate business interests, provided such interests do not override your fundamental rights and freedoms. We conduct and document legitimate interest assessments as required by IMY guidance.
Legitimate interests include:
We process personal data where necessary to comply with legal obligations, including:
We process your personal data for the following purposes:
Service Provision: Operating and maintaining the Platform, including AI chat functionality, document creation, deadline tracking, and export features.
Account Management: Creating, maintaining, and securing user accounts, managing subscriptions, processing upgrades or downgrades, and handling cancellations.
Payment Processing: Processing subscription payments, managing billing cycles, issuing invoices, and handling refunds where applicable.
Communication: Sending transactional emails regarding account activity, subscription changes, service updates, and responding to support inquiries.
Service Improvement: Analyzing usage patterns to enhance features, fix bugs, improve user experience, and develop new functionality.
Security and Fraud Prevention: Detecting and preventing unauthorized access, fraudulent transactions, abuse of the Service, and ensuring platform integrity.
Legal Compliance: Meeting regulatory obligations, responding to legal process, enforcing our Terms and Conditions, and protecting our rights.
We do not sell your personal data to third parties. However, we share data with service providers necessary to deliver the Platform's functionality.
OpenAI (GPT-Model): Processes text input and generates AI-powered responses for Pro and Ultimate users. User prompts and relevant conversation context are transmitted to OpenAI's servers for processing in accordance with applicable data protection laws and OpenAI's data processing terms.
Anthropic (Claude): Processes text input and generates AI-powered responses. User prompts and relevant conversation context may be transmitted to Anthropic's servers for processing in accordance with applicable data protection laws and Anthropic's privacy documentation and terms.
Google (Gemini): Processes text input and generates AI-powered responses. User prompts and relevant conversation context may be transmitted to Google's servers for processing in accordance with applicable data protection laws and Google's privacy documentation and terms.
DeepSeek API: Processes text input and generates AI chat responses. User queries and conversation context are transmitted to DeepSeek servers for processing.
Stripe: Processes all payment transactions. Stripe collects and processes payment information according to its privacy policy and terms of service.
Strato Email: Handles customer support communications and transactional emails.
Netlify: Serves as the hosting environment for the Platform.
Each third-party service provider is contractually bound to process data only for specified purposes and to implement appropriate security measures. We conduct due diligence on service providers to ensure GDPR compliance.
We may disclose personal data where required by law, court order, regulatory authority, or legal process. We may also share data to enforce our Terms and Conditions, protect our rights and property, prevent fraud, or protect user safety.
In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal data may be transferred to successor entities. We will notify you of such changes via email or prominent notice on the Platform.
The Service is operated from Sweden within the European Economic Area (EEA). However, certain third-party service providers may process data outside the EEA.
Where personal data is transferred to countries not recognized by the European Commission as providing adequate data protection, we implement appropriate safeguards, including:
You may request information about specific safeguards implemented for international transfers by contacting info@lluna.app.
We retain personal data only for as long as necessary to fulfill the purposes described in the present Policy or as required by law.
Account Data: Retained for the duration of your active account plus thirty (30) days following account closure to allow reactivation. After this period, personal data is permanently deleted unless retention is required for legal compliance.
Payment Records: Retained for seven (7) years in accordance with Swedish tax and accounting legislation.
User Content: Retained while your account is active. Upon account deletion, content is removed within thirty (30) days from our active systems. Backup copies may persist for up to ninety (90) days before permanent deletion.
Communication Records: Support correspondence is retained for three (3) years for quality assurance and legal purposes.
Technical Logs: Retained for twelve (12) months for security, debugging, and service improvement purposes.
You may request earlier deletion of your data by exercising your right to erasure under GDPR Article 17, subject to legal exceptions.
As a data subject under GDPR, you possess the following rights regarding your personal data:
You may request confirmation of whether we process your personal data and obtain a copy of such data along with information about processing activities.
You may request correction of inaccurate personal data or completion of incomplete data.
Under certain circumstances, you may request deletion of your personal data, including where data is no longer necessary for original purposes, consent is withdrawn, or processing is unlawful.
You may request limitation of processing where you contest data accuracy, processing is unlawful but you oppose deletion, or you need the data for legal claims.
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit such data to another controller. In accordance with the EU Data Act (Regulation (EU) 2023/2854), which became fully applicable on September 12, 2025, we facilitate data portability and switching between service providers.
You may object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Where processing is based on consent, you may withdraw such consent at any time without affecting lawfulness of prior processing.
You have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) if you believe our processing violates GDPR. Contact IMY at www.imy.se or by telephone at +46 8 657 61 00.
Exercising Your Rights: To exercise any of these rights, contact us at info@lluna.app. We will respond to requests within one (1) month of receipt. Where requests are complex or numerous, we may extend this period by two (2) additional months with notification.
The Platform uses cookies and similar technologies in accordance with the Swedish Electronic Communications Act and the ePrivacy Directive.
Strictly Necessary Cookies: Essential for Platform operation, including authentication, security, and basic functionality. These cookies do not require consent as they are necessary for service provision.
Functional Cookies: Enhance user experience by remembering preferences and settings. Consent is required for these cookies.
Analytics Cookies: Currently, we do not use Google Analytics or similar analytics tools. Should we implement analytics in the future, we will obtain prior consent through our cookie consent mechanism.
Upon your first visit, we present a cookie consent banner requiring active opt-in for non-essential cookies. Pre-checked boxes and implied consent through continued browsing are not used. You can modify your cookie preferences at any time through browser settings or our cookie management tool.
Consent must be freely given, specific, informed, and unambiguous through clear affirmative action as required by CJEU guidance and IMY enforcement priorities.
Most browsers allow you to refuse or accept cookies through settings. Blocking strictly necessary cookies may impair Platform functionality. Instructions for managing cookies are available in your browser's help documentation.
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction.
Security measures include:
Despite these measures, no method of transmission or storage is completely secure. We cannot guarantee absolute security but continuously monitor and improve our security posture.
In the event of a personal data breach likely to result in high risk to your rights and freedoms, we will notify you without undue delay as required by GDPR Article 34. We will notify IMY of qualifying breaches within seventy-two (72) hours of becoming aware.
The Service is not directed to individuals under the age of thirteen (13). We do not knowingly collect personal data from children below this age without verifiable parental consent.
Sweden has set the digital age of consent at thirteen (13) years for information society services under GDPR Article 8. For users between ages thirteen (13) and eighteen (18), we recommend obtaining parental guidance before using the Service.
If we become aware that we have collected personal data from a child without proper consent, we will take steps to delete such information promptly. Parents or guardians who believe we have collected data from a child may contact us at info@lluna.app.
We reserve the right to modify the present Privacy Policy at any time to reflect changes in our practices, legal requirements, or service functionality. Material changes will be communicated via email to your registered address or through prominent notice on the Platform at least thirty (30) days before taking effect.
Your continued use of the Service after modifications become effective constitutes acceptance of the revised Policy. We encourage you to review the Policy periodically. The "Last Updated" date at the beginning indicates when the Policy was most recently revised.
We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you as defined by GDPR Article 22.
While the Platform incorporates AI features, these tools assist rather than replace human decision-making. AI-generated outputs are provided as suggestions and users retain full control over content creation and usage.
We adhere to GDPR principles of data minimization and purpose limitation, collecting only data necessary for specified purposes and avoiding further processing incompatible with original purposes.
For questions, concerns, or requests related to personal data processing or the present Privacy Policy, contact our data protection team:
Email: info@lluna.app
Response Time: We endeavor to respond to all privacy inquiries within five (5) business days.
By using the Service, you acknowledge that you have read and understood how we collect, use, and protect your personal data as described in this Privacy Policy.